[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
: x4 }: ?2 z) `3 h
0 z1 @0 X* o0 p  n  M, ^: P8 ZKeyboard Interrupt Hook using I/O APIC
: ]7 Z! q$ c1 W5 a; k' H9 Q
2 p6 w8 b% ^6 o% ^By: chpie
" `  k/ y$ X# h' M, v+ |Keyboard Interrupt Hooking by manipulating the I/O APIC
( L& L- T" W/ P6 |3 b0 Z: ztested on the winXP, Pentium D Hyper-threading Enabled.
* D, b; b" f" y0 H7 n# m! r

Summary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
the I/O APIC's Redirection Table.

- It is higher priority of the hooking than the direct
modification of the I/O APIC's vector.
) w6 m! G& z" j' u- The vector can be hidden on the thread getting the keyboard
- u; m4 m( l" svector from the I/O APIC.

Flow ::

  S4 d3 H% T. q* i# y1. IRQ 1 Assert !!!
9 [, p# ^- w* w9 {, L: _  L( L2. The I/O APIC receives the signal and refers the I/O Redirection table.
, b4 I5 m/ j* S7 J2 i1 p% w3. Sending the signal from the destination Local APIC.
) t' ?. W- y% y4. Local APIC pass the signal to the processor for its delivery mode ExtINT
: e3 ]% u9 z4 }( E- H) C. i5. A processor receives the signal.
6 [0 r- T2 ]/ i0 a1 W6. The processor Assert the INTA signal.
7. The I/O APIC acknowledged.
9 b1 I3 V" f9 g6 x6 ]1 ]8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
% I. V# ^: S( u7 ^for ExtINT to its Delivery mode.
. r7 v7 p: ?. u5 X- E  H( m10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
. ~5 |3 b, u6 s5 F! a11. The processor execute 2 bytes sended.
12. our interrupt handler executed.

" N6 `8 h  y$ Q9 R
sourcecode and binary are available on the
5 F9 J+ m) R% dhttp://www.rootkit.com/vault/chpie/apic_keyboard.zip